SUBMITTED TO IEEE TRANSACTIONS ON RELIABILITY 1. Prior Robustness for Bayesian implementation of the Fault Tree Analysis

Prior Robustness for Bayesian implementation of

the Fault Tree Analysis

Chaitanya Joshi, Fabrizio Ruggeri and Simon P. Wilson

Abstract—We propose a prior robustness approach for the Bayesian implementation of the fault tree analysis (FTA). FTA is often used to evaluate risk in large, safety critical systems but has limitations due to its static structure. Bayesian approaches have been proposed as a superior alternative to it, however, this involves prior elicitation, which is not straightforward. We show that minor mis-specification of priors for elementary events can result in a significant prior mis-specification for the top event. A large amount of data is required to correctly update a mis-specified prior and such data may not be available for many complex, safety critical systems. In such cases, prior mis-specification equals posterior mis-mis-specification. Therefore, there is a need to develop a robustness approach for FTA which can quantify the effects of prior mis-specification on the posterior analysis.

Here, we propose the first prior robustness approach specifically developed for FTA. We not only prove a few important mathe-matical properties of this approach, but also develop easy to use Monte Carlo sampling algorithms to implement this approach on any given fault tree with AND and/or OR gates. We then implement this Bayesian robustness approach on two real life examples: a spacecraft re-entry example and a feeding control system example. We also provide a step-by-step illustration of how this approach can be applied to a real life problem.

Index Terms—Fault tree analysis, prior elicitation, distorted band of priors, Bayesian robustness, Bayesian networks.

NOMENCLATURE AHP Analytic Hierarchy Process. BN Bayesian Networks. FT Fault Tree.

FTA Fault Tree Analysis. TE Top event.

w.r.t. with respect to.

I. INTRODUCTION

F

TA is often used to quantify the probability of occurrence of an undesirable event, namely the TE. FTs are constructed in a top-down fashion from the TE to their causes - represented by the intermediate and elementary events in the tree. The relationship between the events and the causes is represented using logical gates, most commonly AND and OR gates. The basic assumptions of the standard FTA are: (i) events are Bernoulli trials e.g. either happen or do not happen; (ii) events are statistically independent; (iii) the relationship between events are represented using C. Joshi is with the Department of Mathematics and Statistics, University of Waikato, Hamilton,3240 New Zealand e-mail: [email protected]

F. Ruggeri is with CNR IMATI, Milan, Italy and S.P. Wilson is with Discipline of Statistics, Trinity College Dublin, Dublin, Ireland.

Manuscript received April 17, 2017

logical AND and OR gates and (iv) the root of the FT is the undesirable TE to be analyzed [1].

A. FTA and Bayesian Networks

One of the common criticisms [2] of the FTA is that the events are considered independent of each other, which can be an unrealistic assumption. BN have been recommended as a way to incorporate local dependence between events, as well as providing a framework for both forward (prediction) and backward (inference) analyses; see for example [1], [2] and [3]. An FTA can be directly mapped into a BN and that permits the assumptions (i) - (iii) to be relaxed under the BN formalism [1]. Additionally, BN can model uncertainty in an outcome - instead of the deterministic outcomes implied by the logical gates in an FTA. In other words, BN can be seen as a natural extension of FTA [3].

However, BN have their own drawbacks: (1) the typical BN approach requires specifying exact prior probabilities (not just the prior distributions) of the elementary events and (2) it also requires specification of all the conditional probabilities in the system. In many cases, especially when designing new systems, sufficient prior information is not available and hence it may not be possible to even specify exact prior probabilities let alone all the conditional probabilities accurately. As the number of nodes and the dependency structures increase, specifying the information needed by BN accurately becomes increasingly unrealistic. FTA is relatively easier to implement. Also, in many cases (including the Examples B and IV-C in this paper), the flexibility offered by BN is not needed. Unrelated events may be independent and hence dependence structures may not be required. Similarly, when the TE oc-curs for sure (deterministically) once the required elemen-tary/intermediate events have occurred, modeling uncertainty in the outcomes is not necessary. Another disadvantage of BN is that incorporating a previously unknown part of the network becomes computationally very expensive as the size and the complexity of the network grows (see, for example, [4]). On the other hand, this is relatively easily done for FTA. B. Fully Bayesian implementation of FTA

uncertainty in the prior knowledge which can not be done in the typical FTA. Another advantage of the Bayesian generalization of FTA is that it permits uncertainty in and learning about the event probabilities to be incorporated. Prior distributions on the probabilities of elementary events are elicited and then the logic of the fault tree can be used to derive the prior of any intermediate event and the TE. These distributions are updated on observation of the TE or other events through Bayes law. Further, the posterior uncertainties can be easily integrated out by finding the posterior summary statistics such as a posterior mean or a posterior credible interval for the probability of the TE.

This approach was applied in [5], who described a process to elicit Beta distribution priors on the elementary event proba-bilities, and used simulations to derive the prior distribution for the probability of the TE from those of the elementary events. [5] also described a method for updating these distributions in light of observation of any event or combination of events in the fault tree and applied this approach to the spacecraft re-entry problem (see Section IV-B).

C. Prior elicitation for FTA

Eliciting prior distributions for the elementary events by quantifying expert opinion is usually not straightforward. Unfortunately, this area has received very little attention relative to modeling and the practicalities of implementing Bayesian inference. The few papers that do propose Bayesian elicitation methods for FTA such as [5], [6] and [7] propose moment matching approaches. The moment matching approach is one of the most common prior elicitation approaches (see, for e.g. [8]) and relies on elicitation of a small number of statistics. A prior distribution is then elicited by finding the parameter values for which the population moments match very closely with the elicited moments. For an accurate elicitation of the prior distribution, the number of statistics must be at least equal to the number of unknown parameters of the distribution. A typical choice of statistics includes measures of the central tendency as well as measures of the variability/spread. The exact choice of statistics often depends on the information available (i.e what can be elicited) as well as the distribution concerned. Since we are concerned with FTA where, typically, each event is a binary event, a standard choice for the prior distribution would be the Beta distribution. In Examples IV-B and IV-C we illustrate how Beta distribution priors can be elicited in different ways. In Example IV-D we illustrate how the moment matching approach can be used to elicit Gamma distribution priors.

Another important approach to prior elicitation that has been used (see, for example [5]) in risk assessment is the use of pairwise comparisons. The prior for the probability of one event is elicited. For other events, their relative chance in comparison to this event is then elicited, and that is used to construct their prior distributions. Other pairwise comparisons may be made to validate the elicitation. The idea is that comparisons are the easiest judgment to make and so the process is simplified, see [9], [10].

D. Bayesian robustness for FTA

Both Bayesian approaches - the BN as well as the fully Bayesian FTA require specification of priors. As [5] points out for the spacecraft re-entry example though, for complex systems with very little data, getting experts to elicit even a mean value (for the probability of occurrence for an elementary event) could be an uphill task simply because of the lack of information. As a result, it is likely that the elicited priors are not entirely accurate. The prior probabilities can be updated using the Bayes theorem. However, if they are incorrectly specified then it can take a lot of data to update the prior probabilities in any meaningful way. Such a data may not be available firstly, since the TE often being an undesirable event, is designed to be highly unlikely to occur and secondly, because the data collection may be very complex and expensive. As we illustrate in Section IV , even the relatively small errors in prior elicitation of the elementary events can snowball into large distortions to the prior distribution of the TE, especially for fault trees with a series of OR gates or with multiple elementary events feeding into an OR gate. Erroneous priors can lead to an erroneous analysis which is particularly undesirable considering the applications for which FTA is typically used.

Therefore, it is important to develop Bayesian robustness approaches for BN and for the fully Bayesian implementation of the FTA. Bayesian robustness approaches can quantify the changes to the posterior distribution (or its functionals) given the changes to the prior distributions or to the data. Thus, it enables the computation of the distortion to a posterior distribution (or its functionals) as a result of any distortions to the prior distributions.

In this paper, we develop a Bayesian robustness approach for the fully Bayesian implementation of FTA. We use the new class of priors called the distorted band of priors developed by [11]. This class is based on stochastic ordering and distortion functions. The rest of this paper is organised as follows. In Section II, we provide a brief introduction to Bayesian robustness, describe the distorted band of priors and prove a few important properties of the distorted band obtained using power functions. We develop the robustness approach for analyzing the fault trees in Section III. In Section IV we illustrate the application of this approach to challenging real life problems. We close this paper with a summary and future work in Section V.

of any single prior is in practice impossible and instead a class of priors is the natural alternative [13]. A class of priors can be defined in many ways. In this paper we propose to use the class of priors called the distorted band of priors [11]. We use this class because it is readily applied to the FTA, is easy to interpret and is also computationally easy to implement using the rejection sampling algorithms we develop in Section III-C. The distorted band of priors is described below. For a general introduction and details on Bayesian robustness, the reader is referred to [14].

A. The distorted band of priors

Before defining the distorted band of priors, we need to define a few related concepts. A distortion function h is a non-decreasing continuous function h : [0, 1] −→ [0, 1] such that h(0) = 0 and h(1) = 1. When h is used to transform the distribution function F ,

Fh(X) = h ◦ F (x) = h[F (x)]

represents a perturbation of F in order to measure the un-certainty about it. Note that Fh(X) is also a distribution

function for a particular random variable denoted by Xh and

the distorted density is given by

fh(X) = h0[F (x)] · f (x).

Random variables can be assigned ordering in different ways. For two random variables X and Y , X is said to be smaller thanY in the stochastic order sense (denoted by X ≤st Y )

if

FX(t) ≥ FY(t), ∀t ∈ R.

For absolutely continuous [discrete] random variables X and Y with densities [discrete densities] fX and fY, respectively,

X is said to be smaller than Y in the likelihood ratio order sense (denoted by X ≤lr Y ) if

fY

fX

increases over the union of the supports of X and Y . A desirable choice for distortion functions is to consider convex and concave functions. This is because it can be shown [11] that, if π is a specific prior belief with distribution function Fπ and h is a convex (concave) distortion function

in [0, 1], then π ≤lr (≥lr)πh. Thus, if the decision maker is

able to represent the changes to a prior belief π by a concave distortion function h1 and a convex distortion function h2,

then it leads him to two distorted distributions πh1 and πh2

such that πh1 ≤lr π ≤lr πh2. This defines the class of priors

called the distorted band of priors Γh1,h2,π as

Γh1,h2,π= {π

0_{: π}

h1 ≤lr π

0_≤

lr πh2}. (1)

It is evident that π ∈ Γh1,h2,π. Therefore the distorted band

can be seen as a particular ”neighbourhood” band of π. A popular choice for distortion functions h1 and h2 are power

functionsgiven by

h1(x) = 1 − (1 − x)α and h2(x) = xα, ∀α > 1. (2)

Note that if we take α = n ∈ _{N in (2), then} Fπ_h1(θ) = 1 − (1 − Fπ(θ))n and Fπ_h2 = (Fπ(θ))n

which correspond to the distribution functions of the minimum and the maximum, respectively, of an i.i.d. random sample of size n from the baseline prior distribution π.

While the distorted bands obtained using (2) are centered around the prior belief π, the parameter α controls the width of the interval. Increasing α not only monotonically increases the width of the distorted bands but a distorted band obtained using a smaller α is completely contained inside the band obtained using a larger α. Here, we prove this intuitive but important property. Let X ∼ F (x), Xh1(α1) and Xh2(α1) be the random variables

corresponding to Fh1,α1(x) = 1 − [1 − F (x)]

α1 _and

Fh2,α1(x) = [F (x)]

α1 _{respectively. Similarly, let X}

h1(α2)

and Xh2(α2) be the random variables corresponding to

Fh1,α2(x) = 1 − [1 − F (x)]

α2 _{and F}

h2,α2(x) = [F (x)]

α2

respectively. Also, let fh1,α1(x), fh2,α1(x), fh1,α2(x) and

fh2,α2(x) be the corresponding densities.

Lemma II.1. Given 1 ≤ α1 ≤ α2⇒ Xh2(α1) ≤st Xh2(α2)

and Xh1(α1) ≥stXh1(α2). Proof. 1 ≤ α1 ≤ α2 ⇒ [F (x)]α1 ≥ [F (x)]α2 ⇒ Xh2(α1) ≤stXh2(α2). Also, [1 − F (x)] α1_{≥ [1 − F (x)]}α2 _⇒ 1 − [1 − F (x)]α1 _{≤ 1 − [1 − F (x)]}α2 _{⇒ X} h1(α1) ≥st Xh1(α2).

It is well known that

X ≤lr Y ⇒ X ≤stY.

See for example [11], [15] and [16]. However, we will show here that when the distortion funtions are defined as in (2), the relationship between the likelihood ratio order and the stochastic order also holds in the other direction.

Lemma II.2. Given 1 ≤ α1≤ α2, Xh2(α1) ≤stXh2(α2) ⇒

Xh2(α1) ≤lr Xh2(α2) and Xh1(α1) ≥st Xh1(α2) ⇒ Xh1(α1) ≥lrXh1(α2). Proof. fh1,α1(x) fh1,α2(x) =α1f (x)[1 − F (x)] α1−1 α2f (x)[1 − F (x)]α2−1 = α1 α2 [1 − F (x)]α1−α2_,

which is an increasing function in x and hence Xh1(α1) ≥lr

Xh1(α2). Similarly, fh2,α2(x) fh2,α1(x) =α2 α1 [F (x)]α2−α1_,

which is an increasing function in x and hence Xh2(α1) ≤lr

Xh2(α2).

Theorem II.1. When the distortion functions are defined as in (2), (i)X ≤stY ⇒ X ≤lrY , (ii) 1 ≤ α1≤ α2⇒ Γα1 ⊂ Γα2

and (iii)Γα→ F (x) as α ↓ 1.

(iii) By extending Theorem II.1 (ii) as a continuous function of α and that lim α→1+1 − (1 − F (x)) α_{= F (x), lim} α→1+F (x) α_{= F (x).}

A very useful consequence of the likelihood ratio definition is that, if the two prior distributions are ordered in the ≤lr

sense, then the corresponding posterior distributions are also ordered in the same sense, see [17]. That is, given two prior distributions π1and π2such that π1≤lrπ2, the corresponding

posterior distributions also satisfy π1x≤lr π2x. Similarly, for

all π0∈ Γh1,h2,π, we obtain that πh1x≤lr π

0

x≤lrπh2x. That

is, the posteriors of the lower and upper bound of the prior distortion band are also the lower and upper bounds for the family of all posterior distributions, Γx, in the ≤lr sense.

Γx can be considered as the distortion band of the posterior

belief for some particular concave and convex functions.

B. Measuring uncertainty using a metric

Various distance measures can be used to compare the original prior and its distortions and also the original posterior and its distortions. The preference towards the use of a particular metric is usually based on their mathematical tractability and interpretation. It is for these reasons, that here, we prefer to use the Kolmogorov metric. It has a very practical interpretation and a concise mathematical formula that enables elicitation of α (see Section III-A).

The Kolmogorov metric measures the maximum absolute difference between the two distribution functions and is de-fined by

K(X, Y ) = sup

x∈R

|FX(x) − FY(x)|. (3)

It can be shown that if h is a differentiable (concave or convex) distortion function, then the Kolmogorov distance between π and πh is given by K(π, πh) = sup x∈R |Fπ(x) − Fπh(x)| = ( p0− h(p0), if h is convex, h(p0) − p0, if h is concave, (4) where p0 satisfies h0(p0) = 1 and the argument of the

maximum is achieved at θ0= Fπ−1(p0). Further, it can also be

shown that if the distortion functions are defined as in (2) then, the Kolmogorov metric is given by the following expression:

K(π, πh1) = K(π, πh2) =

α − 1

α−1√_αα. (5)

III. BAYESIAN ROBUSTNESS APPROACH FOR FAULT TREES Given that a prior distribution has been elicited for each of the elementary events (for the probability of the occurrence of that event/ probability of failure of that component), we propose the following approach to implement Bayesian robustness methods on fault trees. The details of how some of these steps can be achieved are discussed in the remainder

of this section.

Bayesian robustness for FTA - an outline

• Build a distorted band of priors for each event - see III-A.

• Simulate through the FT using algorithms A1 - A4 (see III-B and III-C) to find the prior distribution and the distorted band of priors for the intermediate events and the TE.

• Find the posterior distribution for the TE given the prior

distribution and the data.

• Find the lower and the upper distortion bands for the posterior distribution of the TE given the distorted bands for the prior and the data.

A. Use of the Kolmogorov metric

We propose to build the distorted band of distributions using the power functions described in (2). In practical applications, the main question is how to correctly choose the value of α. The Kolmogorov metric between the original distribution and the upper and the lower bounds of the distorted band obtained by the power function is given by (5). The value of α can be elicited by inverting this relationship. The Kolmogorov metric measures the maximum absolute discrepancy between any given pair of distributions. After having elicited the prior distribution, the expert may be prepared to guess how far off this prior distribution could be from the truth. For example, the expert may say that she expects the prior to be no more than 10% off the mark. This implies that K(π, πh1) = K(π, πh2) ≤ 0.1 (since

0 ≤ F (x) ≤ 1). Thus, 0.1 would be a conservative estimate of K. Using a computer program, it is now possible to find the value of α that yields K = 0.1 using (5).

Alternatively, a rough estimate of α can be obtained using the following approximation. Let K(π, πh1) = K(π, πh2) =

K. Then, K = _α−1α − 1√ αα ≈ α − 1 α assuming α−1√_αα_{≈ α} ⇒ α ≈ 1 1 − K. (6)

Note that this estimate of α obtained using (6) will be an optimistic estimate for a given value of K. In our case though, since the value of K itself was conservatively chosen, the estimate of α should be reasonably accurate. For example, suppose the maximum 10% discrepancy occurs when F (x) = 0.6 (in reality this would not be known beforehand), meaning that the true K = 0.06. The corresponding true value of α, obtained using a computer code is 1.175, whereas by using the conservative estimate K = 0.1 in (6) gives α = 1.1111.

30% deviation from the true prior. (6) can be used as long as 0 ≤ K < 1. and (5) is valid for any K > 0 in principal. B. Distortion bands for intermediate and top events

One important question that we want to possibly answer is that given the distortion bands for the elementary events what can we say about the distortion bands for the intermediate and the top events? Consider two simple fault trees illustrated in Fig. 1. Each one has three elementary events X1, X2 and

X3 and a top event Y . The difference is that in tree [a],

the elementary events are linked to the top event using an OR operation whereas in [b] they are linked using an AND operation.

Assuming that each Xi ∼ Bernoulli(θi) and

Y ∼Bernoulli(θ), where θi = P (Xi = 1), and

θ = P (Y = 1), then θ = 1 − Q3

i=1(1 − θi) for [a]

and θ = Q3

i=1θi for [b]. Let πi(·) be the prior distribution

on θi, i = 1, 2, 3, and π(·) be the prior distribution on

θ. Let Γi = (πh1i, πh2i) be the distortion band for πi and

Γ = (πh1, πh2), the distortion band for π.

Fig. 1. Two simple fault trees (a) using an OR operation and (b) using an AND operation.

Then we have that π(θ = τ ) = Z ΩO τ π1(τ1)π2(τ2)π3(τ3) dτ1dτ2dτ3, (7) where ΩOτ = {τi∈ [0, 1], i = 1, 2, 3 : 1 −Q 3 i=1(1 − τi) = τ }

for the OR operation, and π(θ = τ ) = Z ΩA τ π1(τ1)π2(τ2)π3(τ3) dτ1dτ2dτ3, (8) where ΩAτ = {τi ∈ [0, 1], i = 1, 2, 3 : Q 3

i=1τi = τ } for the

AND operation. Extending the logic, we would like to assume that for the distorted band of priors the following holds:

πh1(θ = τ ) = Z ΩO τ πh11(τ1)πh12(τ2)πh13(τ3) dτ1dτ2dτ3, (9) and πh2(θ = τ ) = Z ΩO τ πh21(τ1)πh22(τ2)πh23(τ3) dτ1dτ2dτ3, (10) From Equations 7 and 8 it is clear that the prior π(·) for an intermediate or a top event will seldom be available in closed form. Mostly, the only way to obtain π will be by simulation. Similarly, the only way to obtain the distortion bands for the

intermediate and the top events will be by simulation. Below we present algorithms to do these. For the purposes of the following algorithms, let θ denote the probability of failure. Also, we assume that there are K elementary events in the fault tree.

Algorithm A1: to simulate prior distributions for inter-mediate and top events

1) Sample θij ∼ πi(θi), j = 1, . . . , N, i = 1, . . . , K .

2) For each j, run through the whole tree to find the probability of failure θ at the intermediate and the top events.

3) This generates the empirical prior distributions for the intermediate and the top events.

Algorithm A2: to simulate distortion bands for the prior distributions for intermediate and top events

1) Sample θij ∼ πh1i(θi), j = 1, . . . , N, i = 1, . . . , K.

2) For each j, run through the whole tree to find the probability of failure θ at the intermediate and the top events.

3) This generates the empirical prior distributions πh1 for

the intermediate and the top events.

4) Repeat steps 1 − 3 for πh2i, i = 1, . . . , K to obtain the

empirical prior distribution πh2.

Note that A2 assumes that it is sufficient to sample from πh1i’s to obtain πh1 and to sample from πh2i’s to obtain πh2.

We’ll now prove that this assumption is indeed valid. To do this, we define a (1 − δ) probability interval for each θi as

Ii(δ) = (θiL, θiU) such that P (θiL ≤ θi ≤ θiU) = 1 − δ, for

0 ≤ δ ≤ 1. Ii(δ) represents the interval we can sample from

with probability (1 − δ). Let events E1, . . . , EK be connected

to an event E through an OR gate, that is E = ∪Ki=1Ei and

let I(δ) = (θL, θU) represent the (1 − δ) probability interval

for E. Then, we can prove the following.

Theorem III.1. θL= 1 −QK_i=1(1 − θiL), θU = 1 −

QK i=1(1 − θiU) and θL < 1 − QK i=1(1 − θ 0 i) < θU for any θiL < θ 0 i < θiU.

Proof. Suppose, on the contrary that, for every i, ∃ θ_i0 > θiL

such that θL= 1 −Q K i=1(1 − θ0i). But θiL < θ 0 i ⇒ K Y i (1 − θiL) > K Y i (1 − θ0i) (0 ≤ θiL < θ 0 i < 1) ⇒ 1 − K Y i (1 − θiL) < 1 − K Y i (1 − θ0_i) ⇒ θL < 1 − K Y i=1 (1 − θ_i0).

Similarly, we can show that 1 −QK

i=1(1 − θ 0 i) < θU.

Now, suppose that events E1, . . . , EK are connected to an

event E through an AND gate, that is E = ∩K

i=1Ei. Then, we

Proof. Similar as above.

Note that in general, Fh1 ≤st F ≤st Fh2 ⇒ θh1L ≤

θL ≤ θh2L and θh1U ≤ θU ≤ θh2U. When defining

distortion functions using (2), this ordering is also implied by πh1 ≤lr π ≤lr πh2 because of Theorem II.1. In fact, one can

see that θL(θU) is a decreasing (increasing) function of α

and that for 1 ≤ α1< α2, Iα1(δ) ⊂ Iα2(δ). Theorems III.1

and III.2 imply that in order to obtain the distorted lower (upper) bands for the intermediate/top event by sampling from them, it is necessary and sufficient to sample only from the respective lower (upper) bands of the elementary events. In Section IV-A we use simulation to illustrate this property. Further we also show that sampling through the distorted bands of the elementary events obtained using a smaller α will generate the distorted bands for the intermediate/top events that are contained within the distorted bands corresponding to a larger α.

C. Sampling from the distorted priors

Fig. 2. Beta(2, 5) (continuous). Left The true distorted lower band for α = 1.25 obtained using the concave function h1(long-dashed) against the

lower band obtained by sampling using Algorithm A3 (dotted). Right The true distorted upper band using the convex function h2(long-dashed) against

the upper band obtained by sampling using Algorithm A4 (dotted). Algorithm A2 requires sampling θij∼ πh1i and θij∼ πh2i

respectively. However, πh1i and πh2i may not be available

in closed form and hence sampling from them may not be straightforward. We show that it is possible to sample from πh1i and πh2i using a rejection sampling scheme.

Note that πh1i = d dθi Fh1i(θi) = d dθi h1[Fi(θi)] = πi(θi)h01[Fi(θi)] ≤ πi(θi)h01[0], (11)

since h1 is concave and therefore h01 is decreasing

(Arias-Nicol´as et al. (2015)). This implies that πh1i h0₁[0]πi = πi(θi)h 0 1[Fi(θi)] πi(θi)h01[0] ≤ 1.

Similarly, since h2 is convex and therefore h02 is increasing,

it can be shown that

πh2i ≤ πi(θi)h

0

2[1]. (12)

Using these inequalities, and based on Arias-Nicol´as et al. (2015), we propose the following rejection sampling1

algorithms to sample from πh1i and πh2i, respectively.

Algorithm A3: to simulate from πh1i for h1i concave

1) Sample θij ∼ πi(θi), j = 1, . . . , N, i = 1, 2, 3 and uj ∼

U (0, 1) independently. 2) For each j, check if uj ≤

h0₁[Fi(θij)]

h0 1[0]

• If this holds, accept θj as a realisation of πh1i.

• If not, reject the value θij.

Algorithm A4: to simulate from πh2i for h2i convex

1) Sample θij ∼ πi(θi), j = 1, . . . , N, i = 1, 2, 3 and uj ∼

U (0, 1) independently. 2) For each j, check if uj ≤

h0 2[Fi(θij)]

h0 2[1]

• If this holds, accept θj as a realization of πh2i.

• If not, reject the value θij.

Note that when using power functions described in Equation (2), πh1i h0₁[0]πi = πα[1 − F (·)] α−1 πα = [1 − F (·)] α−1_, πh2i h0₂[1]πi = πα[F (·)] α−1 πα = [F (·)] α−1_{. (13)}

Therefore, for uj∼ U (0, 1), we accept θj:

in Algorithm A3 if: uj ≤ [1 − F (·)]α−1,

in Algorithm A4 if: uj ≤ [F (·)]α−1. (14)

Fig. 2 compares the true (mathematically obtained) distortion bands for a Beta(2, 5) distribution against the bands obtained by sampling using algorithms A3 and A4. It illustrates that algorithms A3 and A4 can sample from the distorted distributions quite accurately.

IV. APPLICATIONS

A. Example: distortion bands for simple fault trees

Consider the two simple fault trees in Fig. 1. We now illustrate how the prior distributions and the distorted bands for the prior distributions can be obtained for the intermediate/top events. Assume that the prior distributions for the probabilities θ1, θ2 and θ3 of the elementary events

X1, X2, X3 are Beta(1,10), Beta(2,10) and Beta(3,20)

respectively for both the trees. The prior distribution for probability θ of the TE Y is obtained by algorithm A1. See Fig. 3.

Algorithms A3 and A4 were used to sample from the distorted priors (lower and upper, respectively) for θ1, θ2 and

θ3. Then the distorted bands for the prior distribution for θ

were obtained using algorithm A2 for fault trees [a] and [b]. These are shown in Fig. 4 along with the original priors. Fig. 4 also illustrates that Γα1 ⊆ Γα2, when 1 ≤ α1 ≤ α2 holds

even for the distorted bands of the intermediate/top events.

1_{Rejection sampling is a Monte Carlo sampling method to enable sampling}

Fig. 3. Left Priors for θ1 (continuous), θ2 (dashed) and θ3 (dot-dashed).

Centre Prior distribution for θ for the fault tree [a] and Right for fault tree [b].

Fig. 4. Prior for the probability θ of the TE Y (continuous), the distorted bands using α = 2 in long-dashed lines for the fault tree [a] (top most) and fault tree [b] (second from the top). Distorted bands obtained using α = 1.8 are shown in dotted lines. Corresponding distribution functions are shown for the fault tree [a] (third from the top) and fault tree [b] (bottom most).

B. Spacecraft re-entry example

Risk elicitation in complex systems is challenging, especially when there are multiple elementary events and the observed data is rare/sparse. One such example is that of a spacecraft re-entering the earth’s atmosphere. A Bayesian approach to elicit the risks during a spacecraft re-entry was recently developed by [5]. Their approach uses a fault tree

Event Description

T E Explosion of the spacecraft

E21 Chemical reaction of propellant and air

E22 Burst of pressure vessel

E23 Chemical reaction between hypergolic propellants

E24 Burst of battery cell

E11 Sudden release of propellant (due to burst of pressure vessel E22)

E12 Slow release of propellant

E01 Valve leakage E02 Tank destruction E03 Pipe rupture E13 Chemical reactions E14 Over pressure E15 Short circuit E16 Corrosion E17 Over charge E18 Over discharge E19 Over temperature E110 Cell degradation TABLE I

DESCRIPTION OF EVENTS FOR THE SPACECRAFT RE-ENTRY EXAMPLE

to model the probability of an explosive break-up of the spacecraft during the re-entry process. The elementary events in this case are the (assumed independent) causes that can eventually lead to the explosive break-up. Eliciting priors required interviewing several experts because the causes are varied and no one individual was an expert on all of them. Since access to the experts was time limited, typically, information was sought from an expert to elicit prior for one of the elementary events he/she was an expert on. The expert was then asked to make a pairwise comparison between the events under their expertise in terms of which of the events are more likely. The Analytic Hierarchy Process (AHP) [19] was used to derive weights to the remaining events to elicit a prior distribution for these events. These priors were then used to determine the prior distribution of the top event (explosive break-up) and eventually to find the posterior distribution of the top event given observation of elementary or intermediate events.

For applications such as the spacecraft re-entry example, we want to highlight the following important points.

1) Prior elicitation is prone to multiple errors 2) Erroneous prior ⇒ erroneous posterior analysis. We elaborate on these points below.

the errors introduced by the AHP used in the spacecraft example and also by the accuracy of the computer code used to match the Beta distributions to the parameters elicited by the expert. Finally, it is influenced by the subjectivity/bias of the experts. This is especially true in situations where only one expert is consulted for eliciting a particular prior - which was the case for the spacecraft re-entry example. Seeking opinion from multiple independent and impartial experts can reduce this error - but this may not be possible in many cases due to the time and resource constraints.

In Bayesian analysis it is well known that, if only a small amount of data is available then the posterior distribution is likely to be dominated by the prior distribution. For a complex and highly expensive system such as a spacecraft used for re-entry, the data available is sparse at best and no more than a very few observations are available. This means that, in practice, the posterior will be nearly identical to the prior distribution. This is illustrated in Fig. 5. The prior distribution indicates the prior uncertainty around a spacecraft break-up event. In this case, the prior distribution has a mode just below 0.3. It takes the data on 10 identical re-entries with 1 break-up event (indicating the true probability of break up to be around 0.1,) for the posterior to be noticeably different to the prior distribution. Even then, the posterior is only slightly different than the prior. Note that for a spacecraft re-entry application, one is most likely to have only one or two observations on identical systems, not ten. For this reason, the prior and the posterior distributions will be nearly identical, as can be seen in Fig. 8. In other words, any errors made while eliciting the prior information will be directly transferred to the posterior distribution.

Therefore, it is vitally important to assess the robustness of the Bayesian procedure with respect to the mis-specification of the prior. We will now apply the robustness approach developed for the fault trees in Section III to determine the robustness of the Bayesian approach proposed by [5].

Fig. 5. Prior distribution for θT E(continuous) contrasted against its posterior

(long-dashed) distribution. Left n = 3 and one break-up is observed. Right n = 10 and one break-up is observed. Note that for n = 3, the prior and the posterior are almost identical.

The fault tree used to model the spacecraft re-entry problem is shown in Fig. 6 [a]. The description of the events is detailed

Fig. 6. [a] The fault tree used to model the spacecraft re-entry problem and [b] the simplified fault tree in minimum cut-set representation.

in Table I. Since the event E11 is equivalent to the event

E22 and all the gates in the tree are OR gates, there are 13

minimal cut sets each consisting of exactly one elementary event. Therefore, the simplified version of the tree consists of only thirteen elementary events all connected by a single OR gate as shown in Fig. 6 [b]. Note that the representation [a] is still relevant since, in practice, we may observe one or more of these intermediate events while other elementary events or the top event are unobservable (see [5] for details). An event Ej can only take two values: 1 (event occurs) or 0

(event does not occur) and hence the events were modeled as Ej ∼ Bernoulli(θj) and the priors as g(θj) ∼ Beta(αj, βj)

for ∀j. For prior elicitation, the events were divided into three groups:

Group G1 = {E22, E23},

Group G2 = {E01, E02, E03} and

Group G3 = {E13, E14, E15, E16, E17, E18, E19, E110}.

We assume that the priors were elicited for the event E22

in group G1, event E01 in group G2 and event E13 in group

G3. This was done by matching the central 95% probability interval specified by the expert with the 2.5th_{and the 97.5}th

percentiles of a Beta distribution and identifying the values of the parameters α and β (using a computer code) that provide the closest match. The AHP was then used to quantify the expert opinion on how likely the remaining events in each group were compared to the one already elicited. The AHP matrices thus obtained are as follows:

G1 =  1 5 1/5 1  , G2 =   1 3 1 1/3 1 1/3 1 3 1   and G3 =    1 · · · 1 .. . . .. ... 1 · · · 1   .

Event Weight Range Elicited prior E22 0.83333 (0.01, 0.05) Beta(6.3,233) * E23 0.16667 (0.002,0.01) Beta(6.4,1214) E01 0.42857 (0.01, 0.04) Beta (8.3,360)* E02 0.1428 (0.0033,0.0133) Beta(8.3,1104) E03 0.42857 (0.01,0.04 ) Beta(8.3,360) E13 0.125 (0.014, 0.055) Beta (8.4,261)* E14 0.125 (0.014, 0.055) Beta (8.4,261) E15 0.125 (0.014, 0.055) Beta (8.4,261) E16 0.125 (0.014, 0.055) Beta (8.4,261) E17 0.125 (0.014, 0.055) Beta (8.4,261) E18 0.125 (0.014, 0.055) Beta (8.4,261) E19 0.125 (0.014, 0.055) Beta (8.4,261) E110 0.125 (0.014, 0.055) Beta (8.4,261) TABLE II

ELICITED PRIORS OBTAINED USING THEAHPPROCESS. *INDICATES THAT THE PRIOR WAS ELICITED USING THE RANGE PROVIDED BY THE

EXPERT

The top event (TE) corresponds to whether the spacecraft exploded or not during the re-entry. Thus, TE can only take two values: 1 (exploded) or 0 (did not explode). It can be seen that T E ∼ Bernoulli(θT E), where θT E = 1 −Qj(1 − θj).

Thus, if the data was obtained from n identical spacecraft re-entries then T E ∼ Binomial(n, θT E). We assume that

only the top event is observed and that none of the elementary events are directly observed.

Our synthetic data is obtained from the re-entry of 3 spacecrafts under identical conditions. The three observations are considered independent. Without loss of generality, we assume that the spacecraft exploded only during the second of the three re-entries. Thus, the observed data for TE is {0, 1, 0}. The likelihood is therefore given by:

L(T E|θT E) =

3 1 

θT E(1 − θT E)2. (15)

The prior distribution for θT E is obtained by sampling

from the prior distributions of the elementary events and simulating through the fault tree (algorithm A1). The posterior distribution is obtained using the importance sampling2 approach described in [5]. The prior and posterior distributions for TE are plotted in Fig. 8.

Distortion bands were constructed for the priors of all the elementary events using the power functions defined in Equation 2. We assume that K = 0.15, that is, each elicited prior distribution could be at most 15% off the mark and obtain α = 1.51 using Equation 5. The priors and the distortion bands obtained for each of them are shown in Fig. 7. The distortion bands (lower/upper) for the prior distribution of θT E were obtained by first sampling from the

distorted priors (lower/upper) using Algorithms A3/A4 and then using algorithm A2. The posterior distribution of θT E

were obtained for both the lower distortion band as well as the upper distortion band of the prior distribution of θT E. The 2_{Importance sampling is a weighted sampling method of Monte Carlo}

integration which samples from a candidate density for the sake of efficiency and computes a modified weighted integral which converges to the given integral. See, for example, [18] for details.

posterior distributions were obtained using the importance sampling method described in [5]. These are plotted in Fig. 8.

Fig. 7. Each of the unique priors (continuous) for the spacecraft example and the distorted bands obtained - lower band in dotted and upper band in long-dashed.

Fig. 8. Left The prior distribution of θT Eand its distortion bands. Right The

posterior distribution of θT Eand its distortion bands: lower band (dotted) and

upper band (long-dashed).

Fig. 8 illustrates two very important points.

will have a minor effect on the prior distribution of θT E.

However, Fig. 8 (left) illustrates that this is not the case and that the distortions in the prior distribution for the TE are quite significant - the mode shifting by about 0.05 in each direction.

2) When the data is sparse, prior mis-specification ≈ pos-terior mis-specification. As seen in Fig. 5, when the data is sparse (n = 3), the posterior distribution is almost entirely governed by the prior. Fig. 8 (right) highlights that in this case the mis-specification in prior distribution results in an almost identical mis-specification in the posterior distribution. So much so that both the figures look identical.

Thus, Fig. 8 vividly illustrates why studying the robustness of the prior distribution in the Bayesian implementation of the FTA is essential. The methods developed in this paper enable us to do that.

C. Feed Control System

We now consider a safety analysis example discussed by [2]. This concerns the performance of a feeding control system used to transfer propane from a propane evaporator to a scrubbing column. Here, an improper control of the feeding system is the TE and all components are assumed binary (work/fail). The list of components, their description and the prior probabilities (of their failure) are listed in Table III. The fault tree used to model this problem is shown in Fig. 9 [a]. Since there is an AND gate at the top of the fault tree, there are 10 minimal cut sets each consisting of one of the components E21, E22 and one of the components

E01, E02, E12, E24, E25. The simplified fault tree is shown in

Fig. 9 [b].

The first step in implementing FTA using a fully Bayesian approach is to specify priors for each of the elementary events. For this example, we know the prior probabilities as reported in [2]. We can consider these values as the mean values for the corresponding probability parameters θiand try

to find the parameters αi and βiof Beta(αi, βi) whose mean

is closest to the given probability value for each event Ei.

Note that for a Beta distribution, the mean is µ = α/(α + β), which implies β = α(1 − µ)/µ. That is, for a given µ there are infinitely many solutions of α and β. Therefore, we need to match one more statistic to find a unique combination of parameters. Here, we assume that the variance for each event is 0.03 and use a computer code to find the unique Beta distribution which matches the given mean and the variance. The prior distributions thus elicited are also listed in Table III. We use algorithm A1 to sample N = 20, 000 from the prior distribution of the TE. The mean of the sampled values is 0.2720, which matches the prior probability of the TE obtained by [2] using the standard FTA and the BN approaches. The distorted band of priors were obtained by assuming that K = 0.2 (which yields α = 1.75 using Equation 5) and by sampling using algorithms A3 and A4. The original priors and the distorted band of priors obtained

Fig. 9. [a] The fault tree used to model the feeding control system and [b] the simplified fault tree.

are shown in Fig. 10. The distorted band of priors for the TE were obtained using algorithm A2 and are shown in Fig. 11. The mean of the sampled values for the distorted lower and the upper bands of distributions are 0.13 and 0.4 respectively. Here too, one can see that small distortions to the prior distributions of the elementary events have resulted in significant distortion to the prior distribution of the TE.

Event Description Probability Elicited prior

T E Feed system improper control AND gate NA

E31 Manual valve improper control OR gate NA

E32 Automatic valve improper control OR gate NA

E21 Manual valve mechanical failure 0.1393 Beta (0.4,2.4715)

E22 Human failure in operating manual valve 0.2696 Beta (1.5,4.0638)

E23 No signal received by actuator OR gate NA

E24 Actuator mechanical failure 0.2015 Beta (0.9,3.5665)

E25 Automatic valve mechanical failure 0.3403 Beta (2.2,4.2648)

E11 No signal received by pressure controller OR gate NA

E12 Pressure relay failure 0.1538 Beta (0.5,2.7509)

E01 Pressure transmitter failure 0.1647 Beta (0.6,3.0429)

E02 Pressure controller failure 0.2818 Beta (1.6,4.0777)

TABLE III

DESCRIPTION OF EVENTS FOR FEED CONTROL SYSTEM EXAMPLE ALONG WITH THE PRIOR PROBABILITY AND THE CORRESPONDING ELICITED PRIOR DISTRIBUTION

Fig. 10. Each of the unique priors (continuous) for the feed control system example and the distorted bands obtained - lower band in dotted and upper band in long-dashed.

interval for the upper distortion band is (0.1160, 0.7430). Only the prior robustness analysis proposed in this paper allows one to discover that in fact that the mean prior probability of failure could be as high as 0.4 and that the prior probability of failure can be as high as 0.74. This information can have significant implications on the perceived reliability of a system.

D. Triple Modular Redundancy

The methodology proposed in this paper is applicable to events following virtually any distribution. Here, we illustrate how this works in a more general case. We do so by providing a step-by-step guide to implementing our method.

Fig. 11. Left The prior distribution of θT Eand its distortion bands obtained

using α = 1.75 lower band (dotted) and upper band (long-dashed). Right Corresponding distribution functions are also shown.

Consider the simple FT in Fig. 1 [a], but now assume that variables Xi, i = 1, 2, 3, denote time to failure and

are therefore modeled as Exp(1/λi), λi being the survival

parameter. This FT represents a triple modular redundancy system where the system will fail only if all three of the modules fail.

Step I: Elicit prior distributions for elementary events: Let gi(λi) be the prior distribution for λi and Gi(λi)

be the corresponding distribution function. Since λi’s are

survival parameters, a natural choice for gi(λi) could be

the Gamma distribution. The first task then is to elicit prior distributions. As described in Section I-C, this is often done using the moment matching approach. Examples IV-B and IV-C illustrate how this can be done in two different ways for the Beta distribution priors. Here we illustrate this for Gamma distribution priors.

We’ll use a Gamma(ai, bi) prior for λi. The mean µi and

the variance σ2

i for the Gamma random variables are µi =

ai/bi and σi2= ai/b2i. This gives

ai= µ2 i σ2 i and bi= µi σ2 i . (16)

an expected lifespan of 10 but because they are each made using different designs or materials, the expert believes that their variances are 1, 2 and 4 respectively. That is, the expert considers X1 to be the most consistent and

X3 the least. Using Equation (16) gives us the following

priors: λ1 ∼ Gamma(100, 10), λ2 ∼ Gamma(50, 5) and

λ3∼ Gamma(25, 2.5).

Step II: Priors for intermediate events & TE:

Given the prior distributions for the elementary events, we now need to compute the prior distributions for the intermediate events and the TE. As explained using Equations 7 and 8, the priors for intermediate events or the TE will seldom be available in closed form. We’ll obtain these priors by simulation. This involves sampling from the prior distribution of each of the elementary events and simulating through the FT using algorithm A1.

We first sample N = 20, 000 λi ∼ gi(.) for i = 1, 2, 3,

and then simulate a failure time for each of them. We now have N instances of the failure times for each of the three modules. This allows us to compute the failure time for the TE, namely the maximum of the three failure times. This gives us a sample of size N for the failure times for the TE from which the prior distribution of the TE can be calculated using kernel density estimation.

Step III: Quantify & account for errors in prior elicitation: Once the priors for the elementary events have been elicited, we need to quantify the errors made in eliciting them and obtain a distorted band of prior distributions for each of them to account for these errors. The width of the distortion band is governed by the power function parameter α as described in Equation (2). Higher value of α leads to wider distortion bands indicating greater uncertainty/error in the elicited prior. As described in Section III-A, the expert is asked to quantify how far off can their prior be from the truth in percentage terms. This quantification gives the Kolmogorov distance K. α can then be elicited using Equations (5) or (6).

This gives us the distorted band of priors (Gih1(λi), Gih2(λi)) around the elicited prior Gi(λi), where

Gih1(λi) = 1 − (1 − Gi(λi))

αi _{and G}

ih2(λi) = (Gi(λi))

αi_.

Note that the corresponding distorted probability densities are gih1(λi) = αigi(λi)(1 − Gi(λi))

αi−1 _and

gih2(λi) = αigi(λi)(Gi(λi))

αi−1_{. In most cases, the}

distortion bands for the elementary events, gih1 and gih2

won’t be in the form of standard statistical distributions. As a result, drawing samples or computing probabilities won’t be straightforward. Therefore, we use Algorithms A3 and A4 to draw samples from these distorted distributions. For uj∼ U (0, 1), we accept θj using Equation (14):

in Algorithm A3 if: uj ≤ [1 − Gi(.)]αi−1,

in Algorithm A4 if: uj ≤ [Gi(.)]αi−1. (17)

For standard distributions, this can be easily done using any statistical programming package.

Continuing the example, suppose that the expert believes that the elicited priors for the elementary events are each at most 20% off the mark. Using Equation (5) and a computer code, this gives α1 = α2 = α3 = 1.735. We pass the N

samples simulated in Step II through Algorithms A3 and A4 to generate samples from gih1 and gih2. In this case, the

acceptance rate was about 57%, so we end up having about 11, 500 samples from the distorted band of each of the prior distributions. The priors and their distorted bands are shown in Fig. 12.

Fig. 12. Left The elicited prior and the distortion band for λ1 using α1 =

1.735. Centre For λ2 using α2= 1.735. Right For λ3using α3= 1.735.

Step IV: Distortion bands for intermediate events & TE: Using the accepted samples, and similar to Step II, we can find the distortion bands for the intermediate events and the TE by simulating through the FT using Algorithm A2. We have (about 11, 500) samples of λi from each of the

distorted bands gih1 and gih2 for each of the priors gi. As

we did in Step II, we now simulate the failure times for each instance of λi and then compute the resulting failure time for

the TE. This gives us a sample (of about 11, 500) from the lower and the upper distortion bands for the prior distribution of the TE. The distortion bands can now be computed using kernel density estimation as in Step II. These are plotted in Fig. 13.

Fig. 13. Top The resulting prior density and the distortion bands for the TE Bottom Corresponding distribution functions.

the final step is to calculate the posterior distribution for the TE and the distortion bands of the posterior distribution for the TE. This allows one to update the risk assessment post observing the data. Posterior distributions and their distortion bands can also be obtained for any of the intermediate events or indeed the elementary events. Sampling based methods such as importance sampling or Approximate Bayesian Computation (ABC) can be used to compute the posterior distributions.

This was demonstrated in Example IV-B, where importance sampling was used to calculate posterior distribution of the TE. See [5] for details on this approach.

V. SUMMARY ANDFUTUREWORK A. Why Bayesian prior robustness?

In order to improve on the static nature of the FTA, Bayesian approaches have been proposed. This includes the BN approach as well as a fully Bayesian implementation of the FTA. Bayesian approaches enable updating the prior beliefs based on the observed data using the Bayes theorem. While BN allows for dependency between events, it has some important drawbacks as highlighted in Section I-A. One of the main drawbacks of BN is that it requires specification of exact prior probabilities and can not account for any uncertainty around the specified values. This is an unrealistic requirement since often the prior information may be subject to uncertainty. A fully Bayesian implementation of FTA has an advantage over the BN in that it accounts for the uncertainty in the prior value by specifying a prior distribution for each of the elementary events.

In many complex applications though, eliciting priors on elementary/intermediate events is not straightforward for a number of reasons. Firstly, eliciting prior distributions can be subject to errors from multiple sources as discussed in Example IV-B. Secondly, for complex systems with very little prior data, getting experts to accurately elicit even a mean value can be challenging simply because of the lack of information.

Further in some applications, actual observed data is scarce at best. This implies that the posterior beliefs are nearly identical to the prior beliefs. This also implies that the mis-specifications to the prior distributions are also the mis-specifications to the posterior. Therefore, prior robustness analysis is essential.

One of the goals of this paper was to warn engineers about the potential pitfalls around the unique specification of prior distributions when employing a fully Bayesian approach to the FTA - namely, the various types of errors that can be made and the resulting uncertainty around the true priors. Here, we provide a way to model such uncertainty and evaluate the consequences.

B. Methodology proposed in this paper

In this paper, we develop a prior robustness approach for the fully Bayesian implementation of FTA. This now provides a way to model the uncertainties around the prior specifications and to quantify the effect these uncertainties have on the perceived reliability of the system. A prior robustness approach to Bayesian FTA has not been developed before.

Our approach is based on a new class of priors called the distorted band of priors [11] which are obtained by using convex and concave power functions. We develop the computational algorithms needed to implement this approach on Bayesian FTA. We also mathematically prove that these algorithms will always work and will accurately generate the distortion bands needed. Our mathematical contribution is detailed below.

We prove some important properties related to the distorted band class of priors. In particular we have shown that the lower/upper bounds of the distorted bands for the intermediate/top events can only be obtained by using the lower/upper bounds of the distorted bands for the elementary events. This property is important since it implies that it is sufficient and also necessary to sample only from the lower/upper bounds of the distorted bands for each of the elementary events in order to obtain the distorted bands for the intermediate/top events. If this property was not true, then one would have to sample from all the (infinite number of) distributions that are members of the distorted band of priors for an elementary event in order to obtain the accurate distorted bands for the intermediate/top events.

An important problem while working with the distorted band of priors is to be able to correctly elicit the power function parameter α. The value of α determines the width of the distortion band and thus quantifies the uncertainty around the specified prior distribution. The correct elicitation of α is therefore vital to be able to accurately estimate the uncertainty around the reliability of the system. Yet, there was no guidance on how to do this. We show how the power function parameter α can be elicited through the expert knowledge. We provide both an exact equation that can be solved using a computer code and also an approximation that does not require using a computer code.

Finally, we provide a step-by-step illustration of how this methodology can be implemented on a real life example.

C. What difference does it make?

for the top event. We use these examples to illustrate that minor distortions in the prior/posterior distributions of the elementary events can result in significant distortions to the prior/posterior distributions of the top event. These distortions can change the perceived reliability of the system highlighting the need for this kind of analysis to be implemented when using the fault tree approach to model complex events.

The two key messages here are: 1. A practical warning to the engineers that, wherever possible an extra effort should be placed on eliciting prior distributions with more precision so as to reduce the uncertainty in prior specification. 2. A prior robustness approach such as the one developed here should be employed to quantify the uncertainty around the Bayesian analysis so as to get a more realistic model of the reliability of the system.

We also show that this methodology can be just as easily applied for non-Bernoulli data by illustrating its use to model time to failure in a triple modular redundancy system. Indeed, the distortion bands can be obtained for any distribution using the algorithms described in this paper.

An important point to note is that the use of the distorted band class of priors actually relaxes the distributional assumptions made when eliciting a prior distribution (whether it is Beta or Exponential or any other). This is because the class will contain (infinitely many) distributions which will not follow the form of the original prior. Therefore, the resulting analysis can be considered to be largely independent of any distributional assumptions made.

D. Future work

The spacecraft re-entry example discussed also uses the AHP to elicit priors for some of the elementary events. The AHP itself is also subject to errors due to mis-specification. The approach proposed here assumes that the distortions due to the mis-specification in the AHP are also taken into account while eliciting the power function parameter α. A robustness approach to explicitly quantify the distortions to AHP will be an important future contribution.

BN have been shown to be a superior alternative to FTA, especially when the independence assumption is not met. However, BN not only require specification of exact prior probabilities but also the conditional probabilities to define dependencies between events. As the number of nodes and dependencies increase, the BN require an increasingly large amount of prior specification. The BN outcome is therefore subject to the mis-specification of not only the priors but also of conditional probabilities. An important future contribution would be to develop a Bayesian prior robustness approach for BN.

ACKNOWLEDGMENT

The authors would like to thank the three anonymous referees and the Associate Editor for their valuable feedback

which has helped in greatly improving this paper. REFERENCES

[1] A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla, “Improving the analysis of dependable systems by mapping fault trees into bayesian networks,” Reliability Engineering and System Safety, vol. 71, pp. 249 – 260, 2001.

[2] N. Khakzad, F. Khan, and P. Amyotte, “Safety analysis in process facilities: Comparison of fault tree and bayesian network approaches,” Reliability Engineering and System Safety, vol. 96, pp. 925 – 932, 2011. [3] P. Trucco, E. Cagno, F. Ruggeri, and O. Grande, “A Bayesian belief network modelling of organisational factors in risk analysis: A case study in maritime transportation,” Reliability Engineering and System Safety, vol. 93, pp. 823 – 834, 2008.

[4] D. Neidermayer, “An introduction to bayesian networks and their contemporary applications,” in Innovations in Bayesian Networks, 2008, ed. D. E. Holmes and L.C. Jain.

[5] C. DePersis, A risk assessment tool for highly energetic break-up events during the atmospheric re-entry. Trinity College Dublin, Ireland, 2016, Ph.D. Thesis.

[6] D. Lindley and N. Singpurwalla, “Reliability (and fault tree) analysis using expert opinions,” Journal of the American Statistical Association, vol. 81, no. 393, pp. 87 – 90, 1986.

[7] A. Irving, “Fault tree uncertainty analysis using a Monte Carlo method,” in10th_{Advances in Reliability Technology Symposium, 1988, ed. G.P.}

Libberton.

[8] A. Hagan and M. West, The Oxford Handbook of Applied Bayesian Analysis, ser. Oxford Handbooks in Mathematics. OUP Oxford, 2010. [9] H.-H. Por and D. V. Budescu, “Eliciting subjective probabilities through pair-wise comparisons,” Journal of Behavioral Decision Making, vol. 30, no. 2, 2017.

[10] T. A. Mazzuchi, W. G. Linzey, and A. Bruning, “A paired comparison experiment for gathering expert judgment for an aircraft wiring risk assessment,” Reliability Engineering & System Safety, vol. 93, no. 5, pp. 722 – 731, 2008.

[11] J. P. Arias-Nicol´as, F. Ruggeri, and A. Su´arez-Lorens, “New classes of priors based on stochastic orders and distortion function,” Bayesian Analysis, vol. 11, no. 4, pp. 1107 – 1136, 2016.

[12] J. Berger, D. R´ıos Insua, and F. Ruggeri, “Bayesian robustness,” in Robust Bayesian Analysis, 2000, ed. D. R´ıos Insua and F. Ruggeri. [13] E. Moreno, “Global bayesian robustness for some classes of prior

distributions,” in Robust Bayesian Analysis, 2000, ed. D. R´ıos Insua and F. Ruggeri.

[14] D. R´ıos Insua and F. Ruggeri, Robust Bayesian Analysis. Springer, New York, 2000.

[15] M. Shaked and G. Shanthikumar, Stochastic Orders, ser. Springer Series in Statistics. Springer-Verlag New York, 2007.

[16] A. M¨uller and D. Stoyan, Comparison Methods for Stochastic Models and Risk. John Wiley & Sons Inc., Chichester, 2002.

[17] F. Spizzichino, Subjective probability models for lifetimes. Chapman and Hall, CRC, Boca Raton, 2001.

[18] C. P. Robert and G. Casella, Monte Carlo Statistical Methods, 2nd ed. Springer, New York, 2004.

Chaitanya Joshi Chaitanya Joshi is a Senior Lecturer at the Department of Mathematics and Statistics, University of Waikato, Hamilton, New Zealand. He received his B.Sc. degree in Statistics from University of Mumbai, his M.Sc. degree in Statistice from the Indian Institute of Technology Kanpur and his Ph.D. degree in Statistics from Trinity College Dublin, Ireland.

His main research interests include computational Bayesian methods, Bayesian robustness and statistical modeling of complex systems.

Fabrizio Ruggeri Fabrizio Ruggeri received the B.Sc. degree in Mathematics from the University of Milano, Italy; the M.Sc. degree in Statistics from Carnegie Mellon University, Pittsburgh, PA, USA; and the Ph.D. degree in Statistics from Duke University, Durham, NC, USA.

He is Research Director at the Italian National Research Council in Milano, and Adjunct Faculty at Queensland University of Technology. His interests are mostly in Bayesian and industrial statistics, especially in robustness, decision analysis, reliability, and stochastic processes; recently, he got involved in biostatistics.

Dr. Ruggeri is ASA and ISBA Fellow, Zellner Medal recipient, ISI Elected Member, former ISBA and ENBIS President, and current ISI Vice President and ISBIS President-Elect, besides Chair of the ISBA Industrial Section. He is also Editor-in-Chief of Applied Stochastic Models in Business and Industry, Encyclopedia of Statistics in Quality and Reliability, and Wiley StatsRef Online.